Hi,
How can we configure Rapid7 to ensure that all alerts related to specific critical users are assigned ‘Critical’ severity, prioritized, and trigger email notifications?
InsightConnect in this case.
Create a webhook that is being triggered on all incoming alerts.
Create a global artifact.
If match increase criticality of event.
I second @sgroeneveld approach.
If you already have workflows running automatically for your alerts, you can also just build an ICON workflow that will check all the investigations opened, use the same global artifact, and update the criticality of the investigation if you have a match on the actor/user.
Also have a look into the possibility of triggering workflows from 1 workflow.
We use a python script (simple: IF alert = A trigger workflow A).
Otherwise it might get crowded in the workflow itself.
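The two ideas in the replies above, a webhook-triggered check of the actor against a global artifact that raises the alert to Critical, and a small "IF alert = A trigger workflow A" dispatcher, as an added Python example. This is not code from the thread or from Rapid7: the alert payload fields (`rule_name`, `severity`, `user`, `actors`), the one-account-per-line artifact layout and the workflow names are all assumptions made for the example, and the sample alert is constructed.

```python
"""Escalate alerts whose actor is on a critical-user list and route them to a workflow.
Added example; payload shape, artifact layout and workflow names are assumptions."""
import json

# Constructed stand-in for the InsightConnect global artifact holding the critical users.
# Assumption: one account name per line; the real artifact layout is not shown in the thread.
CRITICAL_USER_ARTIFACT = """\
CORP\\jdoe
svc-backup@corp.example
Finance.Admin
"""

# Constructed routing table for the "IF alert = A trigger workflow A" dispatcher.
# Workflow names are placeholders, not real InsightConnect workflow identifiers.
WORKFLOW_ROUTING = {
    "Ingress From Non-Expiring Account": "wf-ingress-review",
    "Malicious Hash On Asset": "wf-malware-triage",
}
DEFAULT_WORKFLOW = "wf-generic-triage"


def normalize_account(name: str) -> str:
    """Map 'CORP\\jdoe', 'jdoe@corp.example' and 'JDoe' to 'jdoe' so that differences
    in how a log source formats the actor do not cause a missed watchlist match."""
    name = name.strip()
    if "\\" in name:                      # DOMAIN\user
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                       # user@domain (UPN or e-mail address)
        name = name.split("@", 1)[0]
    return name.lower()


def load_watchlist(artifact_text: str) -> set:
    """Parse the artifact text into a set of normalized account names, ignoring blank lines."""
    return {normalize_account(line) for line in artifact_text.splitlines() if line.strip()}


def actors_in_alert(alert: dict) -> list:
    """Collect candidate account names from the payload.
    Assumption: the actor may appear as a top-level 'user' string and/or in an 'actors' list."""
    found = []
    if isinstance(alert.get("user"), str):
        found.append(alert["user"])
    for actor in alert.get("actors", []):
        if isinstance(actor, str):
            found.append(actor)
    return found


def escalate_if_critical(alert: dict, watchlist: set) -> tuple:
    """Return (updated copy of the alert, sorted list of matched normalized actors).
    Severity is forced to 'Critical' and the e-mail flag is set only when there is a match."""
    matched = sorted({normalize_account(a) for a in actors_in_alert(alert)} & watchlist)
    updated = dict(alert)
    if matched:
        updated["severity"] = "Critical"
        updated["notify_email"] = True
        updated["escalation_reason"] = "actor on critical-user watchlist: " + ", ".join(matched)
    return updated, matched


def route_alert(alert: dict) -> str:
    """Pick the downstream workflow from the alert's rule name; unknown rules go to generic triage."""
    return WORKFLOW_ROUTING.get(alert.get("rule_name", ""), DEFAULT_WORKFLOW)


def handle_webhook(body: str, artifact_text: str = CRITICAL_USER_ARTIFACT) -> dict:
    """Entry point a webhook trigger would call with the raw JSON body of the alert."""
    alert = json.loads(body)
    updated, matched = escalate_if_critical(alert, load_watchlist(artifact_text))
    return {"alert": updated, "matched": matched, "workflow": route_alert(updated)}


# Constructed sample alert: a Low alert involving two watchlisted users in different name formats.
SAMPLE_BODY = json.dumps({
    "rule_name": "Ingress From Non-Expiring Account",
    "severity": "Low",
    "user": "jdoe@CORP.example",
    "actors": ["CORP\\Finance.Admin", "intern01"],
})

if __name__ == "__main__":
    print(json.dumps(handle_webhook(SAMPLE_BODY), indent=2))
```

The normalization step is the part worth keeping whatever tool runs the check: the same person shows up as `DOMAIN\user`, a UPN, or a bare account name depending on the event source, and a watchlist compared by exact string will silently miss most of them.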
@sgroeneveld any option via InsightIDR itself?
Not that I am aware of. In any case I would add the user to the watchlist.
You can also create a bunch / copy rules and only make them work for a selected group of users. These will be hardcoded which might be a problem.
ICON isn’t that hard to learn and we use it a lot for administrative data loads etc. Worth looking into it.
Thinking about it, what you can do perhaps is create a specific IDR user that receives an email per alert (like a normal user with the lowest privileges). Monitor the inbox with whatever tool you have (like Google Mail); forward to a special Slack / Teams channel IF name === xxx
Not bulletproof, I think, but maybe it helps you on the right path.
I have created a user watchlist for specific users which are integrated via AD, but adding users to the watchlist only results in ingress/authentication alerts being reflected, not others.
@david_smith @Eric-Wilson @darrick_hall1 @landon_dalke1 @antmar904 @tyler_terenzoni any suggestions?